I think the accounts mean organisations. For instance, he exploited this vulnerability to add his public key to the authorised rails user keys. He probably did this to two other "accounts". His exploit wasn't logging in or impersonating any other accounts AFAIK.